2025-02-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article explains how to use RedShell to record command execution in the Cobalt Strike team server. Many people run into this question in practice, so let the editor walk you through how to handle it. I hope you read it carefully and get something out of it!
Overview
RedShell is an interactive command-line tool that lets researchers execute commands through proxychains (a command-line proxying tool) and automatically logs each command's execution in the Cobalt Strike team server.
Tool download
Researchers can use the following commands to clone the source code of the project locally:
git clone https://github.com/Verizon/redshell.git
Tool installation
RedShell is written in Python 3, so a Python 3 environment must be installed on the local host. RedShell also requires the Cobalt Strike client to be installed and configured on the system.
Install dependent components:
pip3 install -r requirements.txt
Install proxychains-ng:
apt install proxychains4
Give the agscript wrapper execute permission:
chmod +x agscript.sh
Tool use
First, open a socks listener on a Beacon in the Cobalt Strike client.
Next, use the following command to run RedShell:
$ python3 redshell.py
[RedShell ASCII-art banner]
RedShell >
Display help information:
RedShell > help
Documented commands (use 'help -v' for verbose/'help <topic>' for details):
===========================================================================
beacon_exec  connect     help         pwd          shell        use_pivot
cd           disconnect  history      quit         show_pivots
config       exit        load_config  set          status
Set an option:
RedShell > set option VALUE
Connect to Cobalt Strike
Set the Cobalt Strike connection options:
RedShell > set cs_host 127.0.0.1
RedShell > set cs_port 50050
RedShell > set cs_user somedude
Connect to the Cobalt Strike team server (you will be prompted for the team server password at this point):
RedShell > connect
Enter Cobalt Strike password:
Connecting...
╔═══════════════════════╤═════════════════════════════════════════════════╗
║ CS team server status │ Connected via somedude_redshell@127.0.0.1:50050 ║
╟───────────────────────┼─────────────────────────────────────────────────╢
║ Socks port status     │ Disconnected                                    ║
╚═══════════════════════╧═════════════════════════════════════════════════╝
Alternatively, the connection settings can be loaded from a configuration file. Note that the password requested by the team server cannot be read from the configuration file; after you enter the password in RedShell, the tool connects to the server automatically:
$ cat config.txt
cs_host=127.0.0.1
cs_port=12345
cs_user=somedude

RedShell > load_config config.txt
Config applied:
╔════════════════════════════╤═════════════════════════════════════════╗
║ Redshell install directory │ /opt/redshell                           ║
╟────────────────────────────┼─────────────────────────────────────────╢
║ Proxychains config         │ /opt/redshell/proxychains_redshell.conf ║
╟────────────────────────────┼─────────────────────────────────────────╢
║ CS install directory       │ /opt/cobaltstrike                       ║
╟────────────────────────────┼─────────────────────────────────────────╢
║ CS team server             │ 127.0.0.1                               ║
╟────────────────────────────┼─────────────────────────────────────────╢
║ CS team server port        │ 50050                                   ║
╟────────────────────────────┼─────────────────────────────────────────╢
║ CS user                    │ somedude_redshell                       ║
╟────────────────────────────┼─────────────────────────────────────────╢
║ Socks port                 │                                         ║
╟────────────────────────────┼─────────────────────────────────────────╢
║ Beacon PID                 │                                         ║
╟────────────────────────────┼─────────────────────────────────────────╢
║ Password                   │                                         ║
╚════════════════════════════╧═════════════════════════════════════════╝
Enter Cobalt Strike password:
╔═══════════════════════╤═════════════════════════════════════════════════╗
║ CS team server status │ Connected via somedude_redshell@127.0.0.1:50050 ║
╟───────────────────────┼─────────────────────────────────────────────────╢
║ Socks port status     │ Disconnected                                    ║
╚═══════════════════════╧═════════════════════════════════════════════════╝
Show the available pivots (Beacons with a socks port):
RedShell > show_pivots
╔════════════════════════════════════════════════════════════════════╗
║ ID   Alive   Socks Port   PID    User              Computer   Last ║
╠════════════════════════════════════════════════════════════════════╣
║ 1    True    22200        8948   Administrator *   WS02       16ms ║
╟────────────────────────────────────────────────────────────────────╢
║ 2    True    54212        7224   Administrator *   WS03       39ms ║
╚════════════════════════════════════════════════════════════════════╝
Select a pivot (this can only be set once the client is successfully connected to the team server):
RedShell > use_pivot 2
╔═══════════════════════╤═════════════════════════════════════════════════╗
║ CS team server status │ Connected via somedude_redshell@127.0.0.1:50050 ║
╟───────────────────────┼─────────────────────────────────────────────────╢
║ Socks port status     │ Connected via socks port 54212 @ beacon PID 7224 ║
╚═══════════════════════╧═════════════════════════════════════════════════╝
Check the configuration information:
RedShell > config
╔════════════════════════════╤═════════════════════════════════════════╗
║ Redshell install directory │ /opt/redshell                           ║
╟────────────────────────────┼─────────────────────────────────────────╢
║ Proxychains config         │ /opt/redshell/proxychains_redshell.conf ║
╟────────────────────────────┼─────────────────────────────────────────╢
║ CS install directory       │ /opt/cobaltstrike                       ║
╟────────────────────────────┼─────────────────────────────────────────╢
║ CS team server             │ 127.0.0.1                               ║
╟────────────────────────────┼─────────────────────────────────────────╢
║ CS team server port        │ 50050                                   ║
╟────────────────────────────┼─────────────────────────────────────────╢
║ CS user                    │ somedude_redshell                       ║
╟────────────────────────────┼─────────────────────────────────────────╢
║ Socks port                 │                                         ║
╟────────────────────────────┼─────────────────────────────────────────╢
║ Beacon PID                 │                                         ║
╟────────────────────────────┼─────────────────────────────────────────╢
║ Password                   │                                         ║
╚════════════════════════════╧═════════════════════════════════════════╝
Check the running status:
RedShell > status
╔═══════════════════════╤═════════════════════════════════════════════════╗
║ CS team server status │ Connected via somedude_redshell@127.0.0.1:50050 ║
╟───────────────────────┼─────────────────────────────────────────────────╢
║ Socks port status     │ Connected via socks port 54212 @ beacon PID 7224 ║
╚═══════════════════════╧═════════════════════════════════════════════════╝
Commands are executed through the Beacon socks proxy, either with the current user's rights or via sudo, and every command goes through proxychains:
RedShell > beacon_exec -h
usage: beacon_exec [-h] [-t TTP] ...

Execute a command through proxychains/beacon socks proxy and simultaneously log it to the teamserver.

positional arguments:
  command            Command to execute through the proxy.

optional arguments:
  -h, --help         show this help message and exit
  -t TTP, --ttp TTP  MITRE ATT&CK Tactic IDs. Comma delimited to specify multiple.

example:
beacon_exec -t T1003,T1075 cme smb --local-auth -u Administrator -H C713B1D611657D0687A568122193F230 --sam 192.168.1.1

RedShell > beacon_exec cme smb 192.168.1.14
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Strict chain  ...  127.0.0.1:48199  ...  192.168.1.14:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:48199  ...  192.168.1.14:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:48199  ...  192.168.1.14:445  ...  OK
SMB         192.168.1.14    445    TESTNET-DC1      [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:TESTNET-DC1) (domain:TESTNET) (signing:True) (SMBv1:True)
Note that if the password used in a beacon_exec command contains special characters, they may be interpreted as shell metacharacters and the command will fail. To avoid this, set the password option and then refer to it as "$password" in the command:
RedShell > set password Test12345
password - was: '' now: 'Test12345'
RedShell > beacon_exec cme smb --local-auth -u administrator -p $password --shares 192.168.1.14
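The metacharacter problem above, as an added example that is not RedShell's own code: it parses the config.txt format shown earlier (ignoring any password key, since the page says the password is never read from the file), tokenizes the operator's command once so the stored password is handed to proxychains as a single argument rather than through a shell, and builds the team-server log entry with the password redacted. The proxychains4 -f flag and the redaction in the log entry are assumptions of this example.

```python
import shlex

PROXYCHAINS_CONF = "/opt/redshell/proxychains_redshell.conf"  # path shown on the page


def load_config(text):
    """Parse the key=value lines of config.txt. A 'password' key is ignored:
    the team server password is typed interactively, never read from a file."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key != "password":
            opts[key] = value
    return opts


def shell_tokens(command_string):
    """How a POSIX shell would tokenize a command line. Used to show why a
    password pasted into the string as text is split apart at ';' etc."""
    lex = shlex.shlex(command_string, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def build_argv(command, password=None):
    """Tokenize the operator's command once, then replace the $password
    placeholder with the stored value as one argv element. The result is meant
    for subprocess.run(argv) without a shell, so metacharacters stay inert."""
    argv = ["proxychains4", "-f", PROXYCHAINS_CONF]  # -f: assumed proxychains-ng flag
    for tok in shlex.split(command):
        if tok == "$password":
            if password is None:
                raise ValueError("password option not set")
            tok = password
        argv.append(tok)
    return argv


def log_record(argv, ttp="", password=None):
    """The entry to send to the team server log: the command with the password
    redacted (an assumption of this example) and the comma-delimited MITRE
    ATT&CK IDs given to -t split into a list."""
    shown = ["<redacted>" if password is not None and a == password else a for a in argv]
    return {"command": shlex.join(shown), "ttp": [t for t in ttp.split(",") if t]}
```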
The script needs to know the exact paths of the RedShell and Cobalt Strike install directories; set them with the following commands:
RedShell > set redshell_directory /opt/redshell
RedShell > set cs_directory /opt/cobaltstrike
Common functions
RedShell provides the following commands for navigating the file system:
RedShell > cd /opt/redshell/
RedShell > pwd
/opt/redshell
We can also use the shell command, or the "!" shorthand, to run other local commands:
RedShell > shell date
Mon 29 Jul 2019 05:33:02 PM MDT
RedShell > !date
Mon 29 Jul 2019 05:33:03 PM MDT
Command execution is tracked, and the history can be viewed:
RedShell > history
    1  load_config config.txt
    2  status
    3  help
RedShell also provides Tab completion for commands, and the Ctrl+L key combination clears the terminal window.
This is the end of "how to use RedShell to record command execution in the Cobalt Strike team server". Thank you for reading. If you want to learn more about the industry, follow the website; the editor will publish more high-quality practical articles for you!